
 <!DOCTYPE HTML>
<html>
<head><meta name="generator" content="Hexo 3.9.0">
  <meta charset="UTF-8">
  
    <title>OpenWrt DNS-over-Https纯净上网 | Zong&#39;s blog</title>
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=3, minimum-scale=1">
    
    <meta name="author" content="Zong">
    
    <meta name="description" content="最近发现DNS很不稳定，我们公司的正常域名在福建解析不出了，以前在家里路由设置的科学上网DNS也不行了（ss-tunel转发），还一度怀疑是ss的问题，折腾了两天，郁闷。。。按网上方法使用chinadns、dns-forwarder试了一下也不行。既然知道问题是DNS，那这问题必须要解决！
DNS-">
    
    
    
    
    
    <link rel="icon" href="/img/favicon.ico">
    
    
    <link rel="apple-touch-icon" href="/img/pacman.jpg">
    <link rel="apple-touch-icon-precomposed" href="/img/pacman.jpg">
    
    <link rel="stylesheet" href="/css/style.css">
</head>
</html>
  <body>
    <header>
      <div>
		
			<div id="imglogo">
				<a href="/"><img src="/img/logo.svg" alt="Zong&#39;s blog" title="Zong&#39;s blog"/></a>
			</div>
			
			<div id="textlogo">
				<h1 class="site-name"><a href="/" title="Zong&#39;s blog">Zong&#39;s blog</a></h1>
				<h2 class="blog-motto">日常积累，技术分享</h2>
			</div>
			<div class="navbar"><a class="navbutton navmobile" href="#" title="Menu">
			</a></div>
			<nav class="animated">
				<ul>
					<ul>
					 
						<li><a href="/">Home</a></li>
					
						<li><a href="/archives">Archives</a></li>
					
						<li><a href="/categories/运维">运维</a></li>
					
						<li><a href="/categories/容器架构">容器架构</a></li>
					
					<li>
					
					<form class="search" action="//baidu.com/s" method="get" accept-charset="utf-8">
						<label>Search</label>
						<input type="text" id="search" name="wd" autocomplete="off" maxlength="20" placeholder="Search" />
                        <input name=tn type=hidden value="bds">
                        <input name=cl type=hidden value="3">
                        <input name=ct type=hidden value="2097152">
						<input type="hidden" name="si" value="www.lstop.pub">
					</form>
					
					</li>
				</ul>
			</nav>			
</div>

    </header>
    <div id="container">
      <div id="main" class="post" itemscope itemprop="blogPost">
	<article itemprop="articleBody"> 
		<header class="article-info clearfix">
  <h1 itemprop="name">
    
      <a href="/2019/04/11/OpenWrt-DNS-over-Https纯净上网/" title="OpenWrt DNS-over-Https纯净上网" itemprop="url">OpenWrt DNS-over-Https纯净上网</a>
  </h1>
  <p class="article-author">By
    
      <a href="http://www.lstop.pub" title="Zong">Zong</a>
    </p>
  <p class="article-time">
    <time datetime="2019-04-11T03:15:50.000Z" itemprop="datePublished">2019-04-11</time>
    
  </p>
</header>

	<div class="article-content">
		
		
		<div id="toc" class="toc-article">
			<strong class="toc-title">Contents</strong>
		<ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#DNS-over-Https（DoH）"><span class="toc-number">1.</span> <span class="toc-text">DNS-over-Https（DoH）</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#Dnsmasq"><span class="toc-number">2.</span> <span class="toc-text">Dnsmasq</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#ipset-iptables"><span class="toc-number">3.</span> <span class="toc-text">ipset+iptables</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#ss-结尾"><span class="toc-number">4.</span> <span class="toc-text">ss + 结尾</span></a></li></ol>
		</div>
		
		<p>最近发现DNS很不稳定，我们公司的正常域名在福建解析不出了，以前在家里路由设置的科学上网DNS也不行了（ss-tunel转发），还一度怀疑是ss的问题，折腾了两天，郁闷。。。<br>按网上方法使用chinadns、dns-forwarder试了一下也不行。<br>既然知道问题是DNS，那这问题必须要解决！</p>
<h1 id="DNS-over-Https（DoH）"><a href="#DNS-over-Https（DoH）" class="headerlink" title="DNS-over-Https（DoH）"></a>DNS-over-Https（DoH）</h1><p>众所周知，DNS是非常古老的协议，基于udp明文，没有校验，GFW通过污染公共DNS净化网络是常规操作。<br>所以这里我们的应对措施是使用DNS-over-Https，进行加密dns查询。这种协议已经被firefox浏览器采用。<br>我用的OpenWrt版本是18.06.1，可以通过下面的命令安装</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">opkg update</span><br><span class="line">opkg install https_dns_proxy</span><br></pre></td></tr></table></figure>

<p>安装完成后进行一些配置，主要是端口改成5353，默认使用google的服务器，国内有个叫红鱼的，我在试用</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">config https_dns_proxy</span><br><span class="line">        option listen_addr &apos;127.0.0.1&apos;</span><br><span class="line">        option listen_port &apos;5353&apos;</span><br><span class="line">        option user &apos;nobody&apos;</span><br><span class="line">        option group &apos;nogroup&apos;</span><br><span class="line">        option subnet_addr &apos;&apos;</span><br><span class="line">        option proxy_server &apos;&apos;</span><br><span class="line">        option url_prefix &apos;https://dns.rubyfish.cn/dns-query?&apos;</span><br><span class="line">        #option url_prefix &apos;https://dns.google.com/resolve?&apos;</span><br></pre></td></tr></table></figure>

<p>端口用5353是配合dnsmasq，把需要番茄的域名与国内域名区分解析，如果你路由本来跑了chinadns和dns-forwarder的可以停掉了，防止5353端口被占用，这两个我这边已经阵亡。</p>
<h1 id="Dnsmasq"><a href="#Dnsmasq" class="headerlink" title="Dnsmasq"></a>Dnsmasq</h1><p>这个在18版Openwrt已经是dnsmasq-full，是默认的内置dns，这个东西还是可以的，我们用它配置特点域名解析转向使用DoH。<br>新建并进入目录 /etc/dnsmasq.d ，从 <a href="https://cokebar.github.io/gfwlist2dnsmasq/dnsmasq_gfwlist_ipset.conf" target="_blank" rel="noopener">https://cokebar.github.io/gfwlist2dnsmasq/dnsmasq_gfwlist_ipset.conf</a> 下载 dnsmasq_gfwlist_ipset.conf 后放入该目录。<br>这里感谢前辈的工作，为我们积累了这个list。里面的域名指定了使用127.0.0.1#5353也就是我们配的DoH服务进行解析。</p>
<p>然后修改一下dnsmasq的启动文件，这个东西原版估计有bug，生成的配置conf-dir永远是/tmp/dnsmasq.d，无论我怎么改/etc/dnsmasq.conf都不行。。。<br>启动文件是 /etc/init.d/dnsmasq，vi查找/tmp/dnsmasq.d替换成/etc/dnsmasq.d吧</p>
<h1 id="ipset-iptables"><a href="#ipset-iptables" class="headerlink" title="ipset+iptables"></a>ipset+iptables</h1><p>按上面配置了之后，特定域名走DoH解析，解析结果会保存到ipset，这里我们要把ipset里面ip的流量通过iptables转发到ss。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"># 新建ipset叫gfwlist</span><br><span class="line">ipset -N gfwlist iphash</span><br><span class="line">#匹配gfwlist的流量转到1234端口（你ss的端口）</span><br><span class="line">iptables -t nat -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 1234</span><br><span class="line">iptables -t nat -A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 1234</span><br></pre></td></tr></table></figure>

<p>上面的命令写进/etc/rc.local，路由每次重启都执行</p>
<h1 id="ss-结尾"><a href="#ss-结尾" class="headerlink" title="ss + 结尾"></a>ss + 结尾</h1><p>ss这个肯定是需要的，不过网上教程很多，就不重复了，呵呵，反正本篇主要解决dns污染问题，主要技术是DoH。<br>简单总结一下，客户端dns请求通过路由dnsmasq把特殊域名通过DoH解析，结果存入ipset，iptables匹配ipset走ss。</p>
<div id="flowchart-0" class="flow-chart"></div>

<p>ps：还有一个dns加密的方式叫DNSCrypt，协议比DoH早一点，貌似不是很活跃，我试了一下也可以，有兴趣参考<a href="https://onlyke.com/html/713.html" target="_blank" rel="noopener">这里</a></p>
<p>其他参考：<br><a href="http://www.keepwn.com/howto/route-traffic-selectively-by-domain-on-openwrt/" target="_blank" rel="noopener">Openwrt上使用dnsmasq和ipset实现域名分流</a><br><a href="https://www.imssip.com/article/2018/11/26/25.html" target="_blank" rel="noopener">OPENWRT + DoH (DNS over HTTPS)</a><br><a href="http://swsmile.info/2019/01/30/%E3%80%90Network%E3%80%91%E7%BF%BB%E5%A2%99-Shadowsocks-OpenWRT-dnsmasq-full-ipset-gfwList-%E5%AE%9E%E7%8E%B0%E8%B7%AF%E7%94%B1%E5%99%A8%EF%BC%88%E5%B0%8F%E7%B1%B3%E8%B7%AF%E7%94%B1%E5%99%A8mini%EF%BC%89%E8%87%AA%E5%8A%A8%E7%BF%BB%E5%A2%99/" target="_blank" rel="noopener">【Network】翻墙 - Shadowsocks + OpenWRT + dnsmasq-full + ipset + gfwList 实现路由器（小米路由器 mini）自动翻墙</a><script src="https://cdnjs.cloudflare.com/ajax/libs/raphael/2.2.7/raphael.min.js"></script><script src="https://cdnjs.cloudflare.com/ajax/libs/flowchart/1.6.5/flowchart.min.js"></script><textarea id="flowchart-0-code" style="display: none">dnsreq=>start: DNS请求
dnsmasq=>operation: dnsmasq
gfwlist=>condition: gfwList
DoH=>operation: DoH解析,保存到IPSet
iptable=>operation: iptable转发
ss=>operation: ss转发
net=>operation: 正常上网
e=>end: END

dnsreq->dnsmasq->gfwlist
gfwlist(yes,right)->DoH(right)->iptable(right)->ss(right)->e
gfwlist(no)->net->e</textarea><textarea id="flowchart-0-options" style="display: none">{"scale":1,"line-width":2,"line-length":50,"text-margin":10,"font-size":12}</textarea><script>  var code = document.getElementById("flowchart-0-code").value;  var options = JSON.parse(decodeURIComponent(document.getElementById("flowchart-0-options").value));  var diagram = flowchart.parse(code);  diagram.drawSVG("flowchart-0", options);</script></p>
  
	</div>
		<footer class="article-footer clearfix">

  <div class="article-tags">
  
  <span></span> <a href="/tags/OpenWrt/">OpenWrt</a><a href="/tags/DNS/">DNS</a>
  </div>




<div class="article-share" id="share">

  <div data-url="http://www.lstop.pub/2019/04/11/OpenWrt-DNS-over-Https纯净上网/" data-title="OpenWrt DNS-over-Https纯净上网 | Zong&#39;s blog" data-tsina="" class="share clearfix">
  </div>

</div>
</footer>   	       
	</article>
	
<nav class="article-nav clearfix">
 
 <div class="prev" >
 <a href="/2019/05/07/使用cAdvisor监控节点中的容器资源/" title="使用cAdvisor监控节点中的容器资源">
  <strong>PREVIOUS:</strong><br/>
  <span>
  使用cAdvisor监控节点中的容器资源</span>
</a>
</div>


<div class="next">
<a href="/2018/06/05/traefik实现ssl双向认证/"  title="traefik实现ssl双向认证">
 <strong>NEXT:</strong><br/> 
 <span>traefik实现ssl双向认证
</span>
</a>
</div>

</nav>

	
</div>  
      <div class="openaside"><a class="navbutton" href="#" title="Show Sidebar"></a></div>

  <div id="toc" class="toc-aside">
  <strong class="toc-title">Contents</strong>
  <ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#DNS-over-Https（DoH）"><span class="toc-number">1.</span> <span class="toc-text">DNS-over-Https（DoH）</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#Dnsmasq"><span class="toc-number">2.</span> <span class="toc-text">Dnsmasq</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#ipset-iptables"><span class="toc-number">3.</span> <span class="toc-text">ipset+iptables</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#ss-结尾"><span class="toc-number">4.</span> <span class="toc-text">ss + 结尾</span></a></li></ol>
  </div>

<div id="asidepart">
<div class="closeaside"><a class="closebutton" href="#" title="Hide Sidebar"></a></div>
<aside class="clearfix">

  
<div class="tagslist">
	<p class="asidetitle">Tags</p>
		<ul class="clearfix">
		
			<li><a href="/tags/Airtest/" title="Airtest">Airtest<sup>1</sup></a></li>
		
			<li><a href="/tags/DNS/" title="DNS">DNS<sup>1</sup></a></li>
		
			<li><a href="/tags/GitLab/" title="GitLab">GitLab<sup>1</sup></a></li>
		
			<li><a href="/tags/K8s/" title="K8s">K8s<sup>8</sup></a></li>
		
			<li><a href="/tags/Linux/" title="Linux">Linux<sup>1</sup></a></li>
		
			<li><a href="/tags/MongoDB/" title="MongoDB">MongoDB<sup>2</sup></a></li>
		
			<li><a href="/tags/OpenWrt/" title="OpenWrt">OpenWrt<sup>1</sup></a></li>
		
			<li><a href="/tags/Python/" title="Python">Python<sup>2</sup></a></li>
		
			<li><a href="/tags/RabbitMQ/" title="RabbitMQ">RabbitMQ<sup>1</sup></a></li>
		
			<li><a href="/tags/calico/" title="calico">calico<sup>1</sup></a></li>
		
			<li><a href="/tags/cdn/" title="cdn">cdn<sup>1</sup></a></li>
		
			<li><a href="/tags/docker/" title="docker">docker<sup>3</sup></a></li>
		
			<li><a href="/tags/docker-registry/" title="docker registry">docker registry<sup>1</sup></a></li>
		
			<li><a href="/tags/elasticsearch/" title="elasticsearch">elasticsearch<sup>3</sup></a></li>
		
			<li><a href="/tags/elk/" title="elk">elk<sup>3</sup></a></li>
		
			<li><a href="/tags/k8s/" title="k8s">k8s<sup>3</sup></a></li>
		
			<li><a href="/tags/kubernetes/" title="kubernetes">kubernetes<sup>1</sup></a></li>
		
			<li><a href="/tags/nginx/" title="nginx">nginx<sup>1</sup></a></li>
		
			<li><a href="/tags/python/" title="python">python<sup>1</sup></a></li>
		
			<li><a href="/tags/tomcat/" title="tomcat">tomcat<sup>1</sup></a></li>
		
		</ul>
</div>


  <div class="linkslist">
  <p class="asidetitle">Links</p>
    <ul>
      <li><a href="http://www.v2ex.com/?r=zong400" target="_blank" title="V2EX">V2EX</a></li>
      <li><a href="http://hexo.io" target="_blank" title="Hexo">Hexo</a></li>
	  <li><a href="https://promotion.aliyun.com/ntms/yunparter/invite.html?userCode=s0bh6uzq" target="_blank" title="阿里云">阿里云</a></li>
	  <li><a href="https://cloud.tencent.com/redirect.php?redirect=1014&cps_key=5bd9deb84d4d9f34b65fb934e12d03e3&from=console" target="_blank" title="腾讯云">腾讯云</a></li>
    </ul>
</div>


</aside>
</div>
    </div>
    <footer><div id="footer" >
	
	
	<div class="social-font" class="clearfix">
		
		
		
		
	</div>
		<p class="copyright">Hosted by <a href="https://pages.coding.me/" target="_blank" title="Coding Pages">Coding Pages</a></p>
		<p class="copyright">Powered by <a href="http://hexo.io" target="_blank" title="hexo">hexo</a> and Theme by <a href="https://github.com/wizicer/iceman" target="_blank" title="Iceman">Iceman</a> © 2020 
		
		<a href="http://www.lstop.pub" target="_blank" title="Zong">Zong</a>
		
		</p>
</div>
</footer>
    <script src="//cdn.staticfile.org/jquery/2.1.0/jquery.min.js"></script>
<script type="text/javascript">
$(document).ready(function(){ 
  $('.navbar').click(function(){
    $('header nav').toggleClass('shownav');
  });
  var myWidth = 0;
  function getSize(){
    if( typeof( window.innerWidth ) == 'number' ) {
      myWidth = window.innerWidth;
    } else if( document.documentElement && document.documentElement.clientWidth) {
      myWidth = document.documentElement.clientWidth;
    };
  };
  var m = $('#main'),
      a = $('#asidepart'),
      c = $('.closeaside'),
      o = $('.openaside');
  $(window).resize(function(){
    getSize(); 
    if (myWidth >= 1024) {
      $('header nav').removeClass('shownav');
    }else
    {
      m.removeClass('moveMain');
      a.css('display', 'block').removeClass('fadeOut');
      o.css('display', 'none');
      
      $('#toc.toc-aside').css('display', 'none');
        
    }
  });
  c.click(function(){
    a.addClass('fadeOut').css('display', 'none');
    o.css('display', 'block').addClass('fadeIn');
    m.addClass('moveMain');
  });
  o.click(function(){
    o.css('display', 'none').removeClass('beforeFadeIn');
    a.css('display', 'block').removeClass('fadeOut').addClass('fadeIn');      
    m.removeClass('moveMain');
  });
  $(window).scroll(function(){
    o.css("top",Math.max(80,260-$(this).scrollTop()));
  });
});
</script>

<script type="text/javascript">
$(document).ready(function(){ 
  var ai = $('.article-content>iframe'),
      ae = $('.article-content>embed'),
      t  = $('#toc'),
      h  = $('article h2')
      ah = $('article h2'),
      ta = $('#toc.toc-aside'),
      o  = $('.openaside'),
      c  = $('.closeaside');
  if(ai.length>0){
    ai.wrap('<div class="video-container" />');
  };
  if(ae.length>0){
   ae.wrap('<div class="video-container" />');
  };
  if(ah.length==0){
    t.css('display','none');
  }else{
    c.click(function(){
      ta.css('display', 'block').addClass('fadeIn');
    });
    o.click(function(){
      ta.css('display', 'none');
    });
    $(window).scroll(function(){
      ta.css("top",Math.max(140,320-$(this).scrollTop()));
    });
  };
});
</script>


<script type="text/javascript">
$(document).ready(function(){ 
  var $this = $('.share'),
      url = $this.attr('data-url'),
      encodedUrl = encodeURIComponent(url),
      title = $this.attr('data-title'),
      tsina = $this.attr('data-tsina');
  var html = [
  '<a href="#" class="overlay" id="qrcode"></a>',
  '<div class="qrcode clearfix"><span>扫描二维码分享到微信朋友圈</span><a class="qrclose" href="#share"></a><strong>Loading...Please wait</strong><img id="qrcode-pic" data-src="http://s.jiathis.com/qrcode.php?url=' + encodedUrl + '"/></div>',
  '<a href="#textlogo" class="article-back-to-top" title="Top"></a>',
  '<a href="https://www.facebook.com/sharer.php?u=' + encodedUrl + '" class="article-share-facebook" target="_blank" title="Facebook"></a>',
  '<a href="#qrcode" class="article-share-qrcode" title="QRcode"></a>',
  '<a href="https://twitter.com/intent/tweet?url=' + encodedUrl + '" class="article-share-twitter" target="_blank" title="Twitter"></a>',
  '<a href="http://service.weibo.com/share/share.php?title='+title+'&url='+encodedUrl +'&ralateUid='+ tsina +'&searchPic=true&style=number' +'" class="article-share-weibo" target="_blank" title="Weibo"></a>',
  '<span title="Share to"></span>'
  ].join('');
  $this.append(html);
  $('.article-share-qrcode').click(function(){
    var imgSrc = $('#qrcode-pic').attr('data-src');
    $('#qrcode-pic').attr('src', imgSrc);
    $('#qrcode-pic').load(function(){
        $('.qrcode strong').text(' ');
    });
  });
});     
</script>









  </body>
</html>

